Security Basics mailing list archives

RE: Strange pings from 127.0.0.1


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 24 Jun 2004 08:34:47 -0700

  If it's an internal machine (a big if, granted!), then 
you may be able to query your switch infrastructure to find
the physical port where that MAC address was learned as a
source.  Even if they spoof the same MAC address as an existing
legit user, that should narrow it down to 2 possibilities (and
if one of those ports has been seeing multiple sources...).
  If they spoof a broadcast/multicast source MAC address, this
should not be learned by the switch, and so they will be harder
to track, but those cases are somewhat more specific than just
"they are spoofing".

David Gillett


-----Original Message-----
From: Kelly John Rose [mailto:mllists () ptbcanadian net]

Nope, that's completely useless. You can for one spoof MAC 
addresses, so having any MAC address is more or less 
meaningless. But, also, there is no reliable way to use the 
MAC address to find the machine, unless it's an internal 
machine, you having the MAC addresses of all internal 
machines written down, and the person is not spoofing.

Either way, having the MAC address doesn't help you at all 
tracking down the culprit really.


Andrew Aris wrote:

I'm coming into this thread partway through so sorry if this 
is a dumb reply but if the MAC address is always the same 
then surely this could be used to trace the culprit host? 
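
The switch lookup suggested in the reply at the top of this message, as an added example that is not part of the original thread: it finds the ports where a MAC address was learned, counts the source MACs seen on each of those ports, and skips broadcast/multicast addresses, which a switch does not learn. The table layout, sample rows and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: rows merged from two MAC-table snapshots
# (VLAN, MAC, type, port). The column layout is an assumption;
# adapt the regex in parse_table() to your switch's real output.
SAMPLE_TABLE = """\
   1    0011.2233.4455    DYNAMIC     Gi0/3
   1    0011.2233.4455    DYNAMIC     Gi0/17
   1    00aa.bbcc.dd01    DYNAMIC     Gi0/17
   1    00aa.bbcc.dd02    DYNAMIC     Gi0/17
   1    00de.adbe.ef10    DYNAMIC     Gi0/5
"""

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_group_address(mac):
    """True for broadcast/multicast MACs (I/G bit set in the first octet)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)

def parse_table(text):
    """Return {port: set of normalized MACs learned on that port}."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+([0-9A-Fa-f.:\-]+)\s+\w+\s+(\S+)\s*$", line)
        if m:
            ports[m.group(2)].add(normalize_mac(m.group(1)))
    return ports

def locate(mac, table_text):
    """List (port, source MACs seen on that port) where `mac` was learned."""
    if is_group_address(mac):
        return []  # group addresses are never learned as a source
    target = normalize_mac(mac)
    ports = parse_table(table_text)
    return sorted((p, len(macs)) for p, macs in ports.items() if target in macs)

if __name__ == "__main__":
    for port, count in locate("00:11:22:33:44:55", SAMPLE_TABLE):
        note = " (multiple sources on this port)" if count > 1 else ""
        print(f"{port}: {count} MAC(s) learned{note}")
```
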



